Google Calendar bug mistakenly invites people to your private events

A bug in Google Calendar could expose your private events to other people, according to a report. Depending on how you name your event, Google Calendar could end up inviting people whose names or email addresses are mentioned in it.

To say this is an embarrassing bug would be an understatement, since many organisations use Google for official purposes too. The flaw was pointed out by developer Terence Eden, who explained that Google Calendar inviting someone to a private event could lead to awkward situations.

For example, Eden wrote, his wife sets reminders for herself on Google Calendar, and she recently set one to remind herself to ask her boss for a pay rise. The date was set a few months ahead, but she made the mistake of adding her boss's email address to the note. Google ended up inviting her boss to the event, much to her surprise.

While recreating the behaviour, Eden saw that if you add someone's email address to the subject line of a Google Calendar event, that person will be added to the event. They won't receive an email notification but will receive a pop-up reminder. An event created on an Android phone will not trigger a meeting request. If the email address you've added does not belong to a Gmail user, the person may or may not receive the meeting in their calendar. When you delete the entry, the cancellation notification will always go to the person.

“There are two main risks here – the user could expose her private Gmail account and associated Google+ data, and she could also reveal her private thoughts and feelings,” Eden wrote in his blog. “Google really needs to work harder at protecting the privacy of its users.” He then sent details of the issue to Google and the company acknowledged it but also said that it believed this bug had minimal impact on user security, so it won’t be considered for a bug bounty reward.

In a statement to The Verge, Google said that it was aware of the issue and was working actively to fix it. In the meantime, you should avoid creating Calendar events with people's email addresses in them if the entry is meant for your eyes only.
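One way to check existing entries against that advice is to audit an exported calendar for titles that contain an email address and see whether that address also ended up as an attendee. This Python sketch is an added example, not code from Eden or Google; it assumes the calendar is available as an iCalendar (.ics) export, and the sample events and function names are constructed for illustration.

```python
import re
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample export (not real data).
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Ask boss@example.com for a pay rise
ATTENDEE;CN=Boss:mailto:boss@example.com
END:VEVENT
BEGIN:VEVENT
SUMMARY:Send slides to carol@example.org
END:VEVENT
END:VCALENDAR
"""

def unfold(text):
    """Undo RFC 5545 line folding (continuation lines start with space/tab)."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def audit(ics_text):
    """Return (title, address, is_attendee) for each address found in a title."""
    findings, summary, attendees, in_event, nested = [], "", set(), False, 0
    for line in unfold(ics_text):
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()
        if prop == "BEGIN":
            if in_event:
                nested += 1  # sub-component such as VALARM; ignore its fields
            elif value.upper() == "VEVENT":
                summary, attendees, in_event = "", set(), True
        elif prop == "END" and in_event:
            if nested:
                nested -= 1
            else:  # end of the event: compare title addresses with attendees
                findings += [(summary, a.lower(), a.lower() in attendees)
                             for a in EMAIL_RE.findall(summary)]
                in_event = False
        elif in_event and not nested and prop == "SUMMARY":
            summary = value
        elif in_event and not nested and prop == "ATTENDEE":
            attendees.update(a.lower() for a in EMAIL_RE.findall(value))
    return findings
```

Entries where the third field is true are the ones where the person named in the title is actually on the guest list; the others only carry the address in the title.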